Hacking the Malware– A reverse-engineer’s analysis
A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and it's effects. Very good example, and something you can learn from.
This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.
I also describe an approach to setting up a flexible laboratory environment using virtual workstation software such as VMware, and demonstrate the process of reverse engineering a worm using a range of system monitoring tools in conjunction with a disassembler.
I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.
Source: Hacking the Malware– A reverse-engineer’s analysis, by Rahul Mohandas. Pointed out by B on IRC. Thanks!
IM Worms in 2006
I've written about IM worms in the past, and even went so far as to write a paper for work (internal-only distribution, sorry about that) where I went on to state that 2006 was shaping up to be the year of the IM worm. 2005 saw a flurry of IM worm families, and a lot more bots were including IM capabilities. The methods remained the same, namely link spamming.
And yet we haven't seen an explosion of IM worms. I don't know why, to be honest with you, all of the evidence suggested that attackers were picking that up dramatically. This does discount the Rbot/SpyBot/etc families using an AIM or MSN Messenger vector (in addition to their other vectors) to propagate, I'm focusing specifically on IM-specific worms. Why wasn't 2006 the year of the IM worm? We saw some, but it ddn't become a huge problem, and we didn't hear about massive network outages due to the IM worm problem like we did in 2005.
This is all prompted by The IM worms armada, posted on the Kaspersky AV weblog:
We've noticed an increase in the prevalence of Y!/MSN-aware worms. These rely on various social engineering tricks to lure the user into a malicious website.
We saw some reactions from the MSN Messenger network operators when they began blocking .pif links, which helped slow down some of the common links being spammed. It had a problem (case sensitivity), but it shows that they're trying to deal with the problem. Could this have cut down on the flurry of IM worms in 06?
Instant Messaging Worms, Analysis and CountermeasuresIM worms are an interesting beast. They have both built-in speedups for propagation via a buddy list, an a great control mechanism in the message routers for each network. We haven't seen the end of them, but they seem to be dominated by bots using link-spamming techniques to propagate. This paper, from WORM05, proposes throttling (which works) and CAPTCHA mechanisms to give a challenge-response mechanism for possibly malicious content. As I recall, the latter wasn't well received by the audience at WORM05, who felt that if you suspected content was dangerous why don't you just block it.
We provide a collection of minor results on the area of Instant Messaging (IM) worms, which has received relatively little attention in the formal literature. We review selected IM worms and summarize their main characteristics, motivating a brief overview of the network formed by IM contact lists, and a discussion of theoretical consequences of worms in such networks. Existing methods to restrict an IM worm epidemic are analyzed in terms of usability and effectiveness, leading to the suggestion of two minor variations to limit IM worm propagation. We believe these variations are more user-friendly and effective than existing published methods. We also provide brief results of a three and a half year user study of IM text messaging and file transfer frequency in a moderate-size public IM network – the largest such study to date – which is of independent interest, but also supports in part the preceding claim regarding user-friendliness.Source: Instant Messaging Worms, Analysis and Countermeasures, M. Mannan, P.C. van Oorschot. WORM 2005 (ACM Workshop on Rapid Malcode).
Death of the IM-Worm?A short analysis piece from the folks over at VirusList, which is always a good site. This piece looks at the IM worm. I had expected 2006 to be the year of the IM worm, everything pointed that way. Looks like I was wrong. We still see a lot of bots have IM capabilities in them, but we're not seeing many pure IM worms. This article looks at the first half of 2006 and the trends in the IM worm space.
This article examines the evolution of the IM worm since the beginning of 2005. It is written from a European standpoint: this means that it does not include information about certain IM-Worms which did not spread widely in Europe. It also does not cover the topic of malware for certain IM clients such as icq, which are less commonly used in Europe.Source: Death of the IM-Worm?, Roel Schouwenberg, Senior Research Engineer, Kaspersky Lab BNL.
Although the first IM-Worm appeared in 2001, this type of malware didn’t become really common until the beginning of 2005. If we take a look at this period, it becomes clear that it’s very important to differentiate between IM Worms which were written with a range of aims.
Updated Microsoft Malware Removal Tool (Jan, 2006)It's Patch Tuesday, and that means that Microsoft has updated their Malware Removal Tool. Detection this month focuses on some of the more prolific but "beneath the radar" malware: listed on the website. The team responsible for the product are also blogging their work.
AIM users targeted again by IM worm, rootkit and adware
Via a ZDNet blog post, I came across this story. In a nutshell, it looks like a new IM worm is out there that not only installs bot software and a rootkit, but also a rootkit detection tool (Rootkit Revealer according to the reports). From the Vital Security weblog:
I think this is round 4 of the installs from these guys in the Middle-East - each one is a little more adventurous (and a little more scary) than the last. As for how you get nailed with this thing in IM, you're most at risk if you have already been infected with Lockx.exe or palsp.exe. That's not to say you're immune if those files aren't on board your PC - it's just that you would have to actively click the link in your chat client to get whacked. Anyone with Lockx.exe could find the bad guys have just sent it down the pipes anyway (like the BitTorrent installs). Of course, it goes without saying that they can control your AIM client and send messages to your buddy list too.
Source: IM Hackers distribute Rootkit and...Rootkit Revealer?!, Friday, January 06, 2006.
- Press Release: New IM Worm Targets AIM Users to Deliver Adware Payload, FaceTime Security.
- AIM users targeted again by IM worm, rootkit and adware, ZDNet blog, Friday, January 06, 2006.
The fact that someone is distributing an IM worm with an IRC bot and a rootkit should come as no surprise. This isn't new. What is odd, however, is the fact that it also comes with a tool to detect the rootkit. That's not something you see everyday.
If someone could send me a sample, I would happily post an analysis here.
Xanga Website XSS Worm, and IM Worm Using the WMF Attack
It looks like another social gathering site, Xanga, has been hit by an XSS worm. Xanga is a blogging site popular with middle school kids, think of it as LiveJournal for the younger masses. From: Xanga Hit By Script Worm from the always great SecuriTeam blog:
The worm consists of a simple HTML/script combination, and is highly primitive in nature. The worm propagates by using the XMLHTTP interface in some browsers to create worm-infected posts on the xanga weblogs of users who visit an infected site while signed in. This approach blurs the line between worm and old-style file infecting viruses. I’ll refer to it as a worm for clarity, since most of the literature on the recent MySpace attack uses the same term. Of particular note is that the worm is ‘dumb’ — it will repeatedly repost itself to previously-infected sites. The attack is extremely noisy, with each post carrying the malware’s obnoxious message.
Aside from the fact that such immature and badly-written messages as the one dropped by the worm would already stand out on most xanga blogs (that I care to read, anyway), the incessant reposting as the worm spread more than likely caused serious clogging. As a result, this worm’s life was extremely short. It is already over as you’re reading this analysis.
It appears upon further research that this worm was a variant of the similar Exodus worm that went quietly and unnoticed on December 19th. It was only in researching this outbreak that I saw the reports of Exodus. It appears that neither worm was written by a very skilled individual, as both strains are easily uprooted, browser-specific, badly-structured, trivially-decoded, and unnecessarily bloated. The worm is technically unimpressive (particularly vis-a-vis Exodus) and is a feat on par with the scores of VBSWG tweaks and edits following the infamous “Kournikova” worm outbreak of 2001.
In other news, I haven't commented on the WMF thing this week, but it looks like someone has gone and mashed up the IM worm space with an infected link via the normal IM link-spamming technique. This one is detected as an SDBot variant and appears to use the Kelvir IM-worm codebase, and affects the MSN network. You can find some analysis on the Kaspersky Lab Weblog: More on WMF exploitation. Both the F-Secure blog and the Kaspersky weblog have had great writeups, and so has the MoMusings blog, which has a concise, clear and accurate description of the situation.
IM worms: A 2005 review
2005 has been a busy year for IM-based worms as the table below shows. So far the state of the attack seems to be link spamming over AIM, and this trend doesn't look to stop. Consider this to be the same developmental stage as the late 1990's for e-mail based worms - no client side vulnerability attacks with specific exploits, just spamming and hoping someone is dumb enough to click.
|Date First Seen||Latest Date Seen||Threat Family Name||IM Networks Affected||Brief description|
|January, 2005||January, 2005||MyDoom.AL (a variant of the mass mailer family)||ICQ||Link spamming, joins a botnet|
|January, 2005||February, 2005||Bropia||MSN Messenger||Link spamming|
|February, 2005M||February, 2005||Aimdes||AIM||Link spamming|
|March, 2005||December, 2005||Kelvir||MSN Messenger||Link spamming, downloads a Spybot variant|
|April, 2005||May, 2005||Picrate||AIM||Link spamming, downloads a Spybot variant, and joins a botnet|
|April, 2005||July, 2005||Opanki||AIM||Link spamming, downloads a Spybot variant, and joins a botnet|
|April, 2005||August, 2005||Chod||MSN Messenger||Link spamming, installs spyware, joins a botnet|
|April, 2005||April, 2005||Velkbot||AIM, Yahoo!, MSN Messenger||Link spamming, installs spyware, joins a botnet|
|April, 2005||April, 2005||Gabloliz||AIM||Link spamming, joins a botnet|
|May, 2005||May, 2005||Pinkton||AIM||Link spamming|
|May, 2005||May, 2005||Doyorg||AIM||Link spamming, joins a botnet|
|August, 2005||August, 2005||Guapim||AIM, MSN||Link spamming, downloads a Spybot variant|
|October, 2005||October, 2005||Loxbot||AIM||Link spamming, joins a botnet|
|November, 2005||November, 2005||Yimper||AIM, Yahoo!||Link spamming|
|December, 2005||December, 2005||Santa||AIM, ICQ, MSN, Windows Messenger, Yahoo!||Link spamming related to holiday activity. Malicious software and a rootkit is downloaded and installed.|
|December, 2005||December, 2005||Dinoxi||AIM||Link spamming, joins a botnet|
|December, 2005||December, 2005||Myspace||AIM||Link spamming, some user interactivity|
So, what can you do to stop this? Again, taking the network-centric approach, run your own message router or a proxy and look for the out degree of the clients (ie how many people they try and contact in a short period of time), look for self similar messages, and throttle the message rate. eWeek covered some of this and more in IM Threats: The Dark Side of Innovation, an article on defense measures against IM-based attacks.
Two Minor Worms of Note: Kaiten, Santa
It's Thursday, and that must mean some more worms on the loose. Two relatively minor worms of note if only just to evaluate the state of the attack these days.
First up is the newer variant of the Linux Mambo worm in the wild. Mambo has an arbitrary command execution vulnerability which is exploited by the worm to fetch the kickoff script for the worm. If you've been attacked, you will see loglines like this:
It looks like the download site (18.104.22.168) has been disabled, but it was up earlier this morning (which helped to delay me posting this information). The worm installs two components. The first, mare, is Mambo attack vector. The second is a variant of the Kaiten bot. This variant connects to the IRC servers us.undernet.org and eu.undernet.org and can launch the standard suite of DDoS attacks. The callgraph to this component, named "ro" in this instance, is graphed here. So, what's the state of the hack? Pretty lousy, to be honest, even worse than the Linux Slapper worm from 2002 or so. Instead of building one big binary, the worm fetches a Bash script which in turn fetches two more binaries and launches them. It would have been easier to fetch the malware from the attacking node (and not a central site) and bundle it all in one executable.
The second thing making the rounds today is a new IM worm. I've spent part of the day building a chart of IM worm activity for 2005 which I plan to post tomorrow. But, right now, the Santa worm is the new kid on the block. Unlike past IM worms which have stuck to one or two networks, this one affects users of the following major IM networks: AOL, MSN Messenger, Yahoo!, and ICQ. I didn't find another IM worm that used all four major networks in the past year, so this is probably the most interesting thing about this worm. Other than that, it spams potential victims with links, installs a rootkit, and can steal information from an infected machine.
Nothing too major, but some stuff worth noting. Seems like everyone wants their own worm this year.
Rootkit-Armed Worm Attacking AIM
One of the more interesting developments this past week (and one that's helped keep me busy and away from posting here) is a new variant of the SDBotfamily which spreads over the AOL Instant Messenger (AIM) network. While there are a few variants of the URL and malcode installed, it's always the same order of operations:
The virus spreads via messages on AOL’s AIM software, either saying HILARIOUS!!! Or see thing!!!, with a URL. Clicking on the link takes the user to a web page that attempts to download a Trojan onto the computer using patchable flaws in the browser.
Source: AOL hit by IM virus, by Iain Thomson, postd to vnunet.com 28 Oct 2005.
This is the first variant of SDBot that I've seen that uses the AIM network to propagate, but otherwise this is a radpily emerging trend for malware: bootstrap onto the system, download a number of tools including a rootkit and spyware, use an IRC network for your botnet, and continue propagating.
Other information on this threat:
- SpyWare, Worm Propagating On AOL Instant Messenger Installs Rootkit on Technology News Daily.
- Rootkit-Armed Worm Attacking AIM on Information week.
- AIM worm plays nasty new trick on News.com.
- WORM.RBOT.CJN from Trend Micro.
It looks like most of the download sits have been taken down, but we'll certainly see more of this in the coming months.
Analysis and commentary This shows that attackers have yet to really fully automated IM-based worms. They spam their victims, gathered from the user's buddy list, with URLs that they have to click to download the malicious software. Once we start seeing AIM or MSN Messenger exploits packaged into these, we'll see a fully automated IM worm. But, so far that hasn't yet happened on a laarge scale, and I don't know why. I think it's only a matter of time before some enterprising malware author decides to break down that barrier.
Update Added this post to the IM worm category, look there for more historical data on IM worms.